Portfolio

Portfolio

INTO THE (PRIVACY) BREACH - New Rules Required for Data Mining in Response to Challenges to Internet Privacy

In 1989, a New York Times article expressed concern that users communicating over “Internet” were susceptible to breaches in privacy. “Sophisticated users,” the article reported, “can easily intercept and read messages” (Mclellan, 1989). Officials of Internet were developing encryption keys that would provide greater security to its users — across 400 networks.

In 2015, this concern for privacy has not diminished; if anything, it has magnified. The concern is no longer simple breaches in communication. The greater threat to individual privacy is the upsurge of data collection and data mining by both governmental and private business entities of Internet users — 2.92 billion users across countless networks (Statista, 2015).

While many states have established statutes with the intent to protect individuals’ online privacy, changes in the use of data have mounted challenges against existing privacy laws. As private businesses and government security networks expand their international reach and data collection capacities, they have clashed with the current rule-makers for this issue: states’ domestic governments. Private business entities such as Google Inc., Facebook Inc., and Microsoft Corp., among others, are in the business of collecting and analyzing individuals’ personal data to extract consumer patterns, a process known as data mining. Government surveillance entities such as the U.S. National Security Agency, the U.K. Government Communication Headquarter, the German Bundesnachrichtendienst, and other security agencies have used data collection and data mining in an alleged attempts to suss out domestic and international security threats (Gellman, 2013). From Argentina to South Korea, numerous states possess internet privacy standards that differ in their protection of personal data and the prosecution of those who violate those standards (Information Shield, 2014). Privacy is recognized internationally as basic human right—it is codified in Article XII of the Universal Declaration of Human Rights—and several organizations have emerged to advocate on behalf of individual privacy in the Internet Age, such as Privacy International and the Electronic Frontier Foundation. In an attempt to understand these newfound challenges to privacy, it is important to understand the rules it challenges, the authority upon which it is based, and the change for which it advocates. Two case studies, Google’s attempts at international expansion and the revelations of the global reach of the NSA scandal, demonstrate that the challenges to rules on data collection and data mining are based on efficacious and delegated authority that seeks to alter rules so as to facilitate the market-minded interests of private corporations and the security interests of government intelligence agencies. However, the question remains whether this challenge can overcome the principled authority of the citizen’s right to privacy.

As Google attempts to expand its reach across the globe, it has encountered obstacles with domestic privacy statutes. It’s apparent disregard for state laws governing Internet privacy have quite frankly freaked folks out. Executive Chairman and former CEO of Google, Eric Schmidt has gone on record saying that Google’s policy is to “to get right up to the creepy line and not cross it” (Kalb, 2013). This “creepiness” includes mining email correspondence to serve up ad content relevant to involved parties and using cookies to track users’ online activity (Newman, 2013). Of greater international concern is Google’s “wi-spy” program, where its Street View cars illegally collected personal data from unencrypted Wi-Fi networks, violating the privacy laws of several states. The EU’s Data Protection Directive of 1995 bars companies from collecting such data and from transferring it across borders or to different companies. The revelation of this program sparked international investigations and general contempt, especially in Europe, where states are notably more privacy-sensitive than others. The Australian communication minister Stephen Conroy, called it “probably the single greatest breach in the history of privacy” (Streitfeld, 2012). Germany, France, and Spain launched investigations into Google. Privacy International filed a complaint with Scotland Yard. The U.S. Federal Communications Commission issued a $7 million fine against the company. But after the international investigations and the strongly worded condemnations, there has not been any overwhelming backlash for the “greatest breach in the history of privacy.” Google has been able to get away with its “creepiness” for so long on the basis of its efficacious authority.

Efficacious authority is derived when a task must be completed and an actor has been identified as competent in completing this task in such a manner that satisfies the community’s preferences (Avant, 2010). The average internet user has identified Google’s role as search engine and information gatherer as imperative in the Internet age—who better to “Google it” than Google? Indeed, when the company has become so pervasive in the modern Internet culture to the point that it’s part of our vernacular, it’s difficult to effectively prosecute its violation of this basic, universal civil liberty. And it’s unlikely that citizens will be able to launch a successful boycott on Google anytime soon (many of the sources in this article were Googled). Google’s efficacious authority has not only given it leeway to “creep,” it has also given it the authority to challenge the existing rule-makers on the issues of data collection and data mining. Fines have not stopped Google’s data collecting rampage, and it draws into question whether the existing rules will be changed to accommodate market-driven interests or individual privacy concerns.

On the other side of the spectrum is the collection and mining of data by government intelligence agencies, which has generally been viewed as a more egregious injustice in the eyes of the public. The Edward Snowden leak revealed that the NSA, along with twelve of its foreign counterparts, had instituted a global surveillance system through programs such as PRISM. The reports also revealed that the NSA had paid several companies for access to their communications networks. The NSA alone spend upwards of $278 million on these programs in 2013 (Timberg, 2013). The United Nations was even prompted to pass a resolution condemning the mass surveillance program, reaffirming the right to privacy in the internet age, and inviting the UN Human Rights Council to consider the establishment of a special procedure on the right to privacy (Privacy International, 2014). Reports showed that the data actively mined and analyzed belonged to “foreign targets,” in order to gather information on potential breaches of national security (Timberg, 2013). The establishment of this transnational intelligence agency flouted multiple states’ privacy laws, but was explained away by state officials as part of their delegated authority. These agencies were entrusted by states and their citizens with the authority to oversee national security through intelligence gathering, through any means as they saw fit. But do these means include disregarding domestic privacy statutes for the sake of some “greater good”? This appears to be the argument of many national intelligence agencies: “We’re not spying on you—we’re protecting you.” With the authority we have delegated to them, it is difficult to argue against their intent. Through their collection and analysis of private data, government intelligence agencies appear to advocate for changes to the rules that would grant exceptions to the right of privacy in the face of some “clear and imminent danger.” While the clear and imminent danger question has already been asked and answered in the United States, that is certainly not true of other nations. Given the transnational nature of this security network and the regional differences in privacy norms, the NSA and company are not only challenging domestic internet privacy statutes, they raise the question of whether international internet privacy regulations should be established.

The challenges to Internet privacy by private corporations and government intelligence agencies raise a greater question: when must privacy come second? In the Google case it seems clear. When blatant violations of privacy are market-driven, the principled authority of private citizens outranks the efficacious authority of service providers. The moral claim of citizens to the universally recognized right of privacy should provide an insurmountable obstacle to those that challenge domestic privacy laws. In the global surveillance case, the answer may not be as clear. While government data collection and data mining of private data—without consent—is deplorable, if it can provide some “greater good” by protecting national security, then a new debate arises. Is this greater good worth it? But without evidence that indicates data collection and mining prevents criminal acts that pose a threat to the national security, then once again the principled authority of the private citizen ought to come first. But the relative authority of the the efficacious and delegated surpasses the authority of the principled in this issue. While private citizens may righteously claim a right to privacy, they are outmatched by the power and resources of their challengers—big business and the government.